Policy Briefing – House and Senate Cybersecurity Proposals
In the wake of recent cyber-attacks on critical infrastructure in the US, such as the Colonial Pipeline ransomware attack in June 2021, and on federal agencies like the Treasury and Commerce Departments in 2020 by Russian actors, several bipartisan bills have been introduced to bolster America’s cyber capabilities and responsiveness to major threats.
In the Senate, bipartisan bills such as the Homeland Security and Government Affairs Committee’s Cyber Incident Reporting Act of 2021 (S.2875) and the Select Committee on Intelligence’s Cyber Incident Notification Act of 2021 (S.2407) have been introduced to empower the Cybersecurity and Infrastructure Security Agency (CISA) to receive and handle reports of cyber incidents from critical infrastructure owners and operators. However, they differ over how long these entities have to report confirmed cyber incidents. Meanwhile, a more flexible version of the bill from the House, the Cyber Incident Reporting for Critical Infrastructure Act of 2021 (H.R.5440), has been incorporated into the National Defense Authorization Act for Fiscal Year 2022 (H.R.4350). In contrast to the Senate Intelligence Committee’s bill, which requires entities to report cyber incidents within 24 hours, the House bill prohibits the CISA Director from requiring entities to report cyber incidents any earlier than 72 hours after confirmation.
Many of the large spending bills circulating through Congress also contain key provisions concerning cybersecurity and endow CISA with additional funding to pursue cybersecurity objectives. These include the annual National Defense Authorization Act (H.R.4350); the Infrastructure Investment and Jobs Act (H.R.3684); and the reconciliation bill, or Build Back Better Act (H.R.5376). The following is a factual summary of each bill or relevant section within a bill, without commentary on the alleged problem it seeks to remedy or on whether it is the appropriate response.
Cyber Incident Reporting Bills as of 10/28/2021
Cyber Incident Reporting for Critical Infrastructure Act of 2021 (H.R.5440)
- Requires that CISA develop rules for critical infrastructure owners to report cyber incidents within 270 days of the bill’s enactment
- Establishes a Cyber Incident Review Office (CIRO) in CISA that would:
  - Receive, aggregate, and analyze reports related to cyber incidents submitted by a critical infrastructure operator (also referred to as a “covered entity”)
  - Share information related to cyber incidents with critical infrastructure operators as well as the intelligence community
  - Conduct reviews of the details surrounding reported cyber incidents to prevent them from happening in the future
  - Review reports for cyber threat indicators that can be anonymized and sent out to appropriate stakeholders
  - Publish quarterly reports with its findings and recommendations based on reported incidents
  - Optimize the quality of coordination and information sharing efforts
- Provides a liability shield to covered entities that report cyber incidents to CIRO (per the Cybersecurity Information Sharing Act of 2015)
- Gives the CISA Director the authority to issue a civil subpoena to a covered entity that fails to respond to a request for information after seven days
- Prohibits the CISA Director from requiring covered entities to report a cyber incident earlier than 72 hours after confirmation
Cyber Incident Reporting Act of 2021 (S.2875)
- Requires that CISA develop rules for critical infrastructure owners to report cyber incidents within 270 days of the bill’s enactment
- Establishes a CIRO within CISA with provisions largely modeled after those enumerated in H.R.5440
- Ransomware provisions:
  - Requires covered entities to notify the federal government within 24 hours if they make a ransom payment
  - Requires entities that plan on making a ransom payment to first conduct a due diligence review of alternatives
  - Directs the National Cyber Director to establish a joint ransomware task force to coordinate federal efforts to prevent and disrupt ransomware attacks
  - Prevents any Federal, State, Tribal, or local government from using cyber incident or ransom payment reports to investigate or take other law enforcement action against the entity that makes a ransom payment
  - Requires CISA to launch a program that will warn organizations of vulnerabilities that ransomware actors exploit
- Requires critical infrastructure owners and operators to report to CISA within 72 hours of experiencing a cyber incident, after which time the CISA Director may issue a subpoena
Cyber Incident Notification Act of 2021 (S.2407)
- Mandates that the CISA Director define when reporting obligations are triggered within 270 days of the Act’s enactment
- Designates CISA as the agency to receive cybersecurity notifications from other Federal agencies and critical infrastructure operators
- Requires the CISA Director to establish Cyber Intrusion Reporting Capabilities to facilitate these notifications
- Requires reporting entities to further submit any updated information regarding the cyber incident within 72 hours of discovery until the incident is mitigated
- Grants limited immunity to companies that report cyberattacks, such as the exemption of notifications to CISA from civil or criminal subpoenas as well as disclosures under the Freedom of Information Act
- Requires federal government agencies, contractors, and critical infrastructure operators to notify CISA within 24 hours of experiencing a cyber attack
  - Entities other than federal contractors that fail to report cyber incidents within 24 hours are subject to daily fines of 0.5% of their gross revenue from the prior year
  - Federal contractors are subject to penalties determined by the Administrator of General Services
Spending and Infrastructure Bills
National Defense Authorization Act for Fiscal Year 2022 (H.R.4350)
Sec. 1501. Cyber Threat Information Collaboration Environment
- Establishes an information sharing and collaboration environment to enable entities to identify, mitigate, and prevent malicious cyber activities
- Requires the Secretary of Homeland Security, acting through the CISA Director and in coordination with the Secretary of Defense and Director of National Security, to:
  - Identify, inventory, and evaluate existing Federal sources of classified and unclassified information on cybersecurity threats
  - Coordinate with private sector critical infrastructure and other relevant entities to identify private sector cyber threat capabilities, needs, and gaps
  - Evaluate current programs to identify, analyze, and monitor cyber threats
  - Begin implementing the information sharing environment within one year of the evaluation’s publication
- Creates a “Cyber Threat Data Standards and Interoperability Council,” chaired by the Secretary of Homeland Security, to establish data standards and requirements for public and private sector entities participating in the information sharing environment
  - Other members of the Council include the CISA Director, Secretary of Defense, Director of National Intelligence, and other public and private sector entities appointed by the President
- Requires the Council to:
  - Identify, designate, and periodically update programs that will participate in or be interoperable with the information sharing environment
  - Establish a Data Governance Committee to establish procedures and data governance structures to protect sensitive data
  - Submit recommendations to the President to support the operation, adaptation, and security of the information collaboration environment
Sec. 1535. Cyber Incident Review Office
- Incorporates language from H.R.5440 (Cyber Incident Reporting for Critical Infrastructure Act of 2021) on the establishment of a CIRO within CISA
Sec. 1536. CISA Director Appointment and Term
- Incorporates language from H.R.5186 (CISA Leadership Act) establishing that the Director of CISA is to be appointed by the President by and with the advice and consent of the Senate for a term of five years
Sec. 6222. State and Local Cybersecurity Grant Program
- Incorporates language from H.R.3138 (State and Local Cybersecurity Improvement Act)
- Authorizes a new $500 million DHS grant program with a graduating cost-share that incentivizes states to increase cybersecurity funding
- Requires CISA to develop a strategy to improve the cybersecurity capabilities of State, local, Tribal, and territorial governments by helping them identify relevant Federal resources and setting baseline cybersecurity objectives, among other methods
- Mandates that State, Tribal, and territorial governments develop comprehensive Cybersecurity Plans to which grant money would then apply
- Creates a State and Local Cybersecurity Resiliency Committee comprised of representatives of those governments to advise CISA of their unique needs
- Requires CISA to assess the feasibility of hosting State, local, Tribal, and territorial government employees in cyber workforce positions at CISA as part of a short-term rotation program
Sec. 7505. Vulnerability Disclosure Policy and Bug Bounty Pilot Program
- Incorporates language from H.R.3313 (Hack Your State Department Act) establishing a Vulnerability Disclosure Process (VDP) and “Bug Bounty” Pilot Program at the Department of State to identify and report vulnerabilities related to cybersecurity
- Requires the Department of State to submit a report on the VDP within 180 days of the VDP’s establishment and annually for the next five years, which will include:
  - The number and severity of all security vulnerabilities reported
  - The number of previously unidentified security vulnerabilities remediated as a result
  - Any outstanding, previously unidentified vulnerabilities along with remediation plans
  - The average length of time between reporting and remediation
  - The resources used by the State Department to implement the VDP and complete remediation
- Establishes a one-year “bug bounty” pilot program at the Department of State within one year of the NDAA’s enactment, tasked with identifying security vulnerabilities at the State Department, the results of which are to be reported to the House and Senate Foreign Relations Committees within 180 days of the program’s completion
Build Back Better Act (H.R.5376)
Sec. 31102. Establishment of Next Generation 9-1-1 Cybersecurity Center
- Includes language first introduced by H.R.1848 (LIFT America Act) to introduce “Next Generation 9-1-1” programs that would revamp the nation’s 9-1-1 emergency response system
- Provides $80 million towards establishing a Next Generation 9-1-1 Cybersecurity Center to coordinate with covered State, local, and regional governments on the sharing of cybersecurity information about strategies to detect and prevent cyber intrusions
Sec. 50001. Cybersecurity and Infrastructure Security Agency
- Provides $865 million in funding for CISA, broken down as follows:
  - $50 million for support of the Multi-State Information Sharing and Analysis Center
  - $25 million for operating a cyber range
  - $25 million for the execution of a national multi-factor authentication campaign
  - $400 million for the implementation of Executive Order 14028 (On Improving the Nation’s Cybersecurity), including the implementation of multi-factor authentication, endpoint detection and response, improved logging, and securing cloud systems
  - $50 million for expansion and operation of the Crossfeed program
  - $75 million for expansion and operation of the CyberSentry program
  - $10 million for performing activities in support of the development of the continuity of the economy plan required under section 9603(a) of the 2021 NDAA
  - $20 million for expanding programs working with international partners on the protection of critical infrastructure
  - $50 million for researching and developing a means to secure operational technology, including industrial control systems, against cybersecurity vulnerabilities
  - $100 million for cybersecurity workforce development and education
  - $60 million for enhancing the cloud architecture, migration advisory services, and cloud threat hunting capabilities of the agency
Sec. 90009. National Aeronautics and Space Administration Oversight and Cybersecurity
- Earmarks $7 million of NDAA-appropriated funding to NASA for information technology security and cybersecurity activities
Sec. 90010. National Institute of Standards and Technology Research
- Provides the National Institute of Standards and Technology $1.195 billion so long as $150 million is made available for cybersecurity research and activities
Infrastructure Investment and Jobs Act (H.R.3684)
Sec. 11510. Cybersecurity Tool; Cyber Coordinator
- Requires the Administrator of the Federal Highway Administration to do the following within 2 years of the bill’s enactment:
  - Develop a tool to assist transportation authorities in identifying, detecting, and protecting against cyber incidents
  - Designate an office as a “cyber coordinator” responsible for monitoring, alerting, and advising transportation authorities of cyber incidents
Sec. 40121. Enhancing Grid Security Through Public-Private Partnerships
- Creates a program to assess the physical security and cybersecurity of electric utilities
- Calls for a Report on Cybersecurity of Distribution Systems to be drafted by the Department of Energy for Congress
Sec. 40122. Energy Cyber Sense Program
- Establishes a voluntary Energy Cyber Sense program to test the cybersecurity of products and technologies intended for use in the energy sector
Sec. 40123. Incentives for advanced cybersecurity technology investment
- Establishes incentive-based rate treatments for the transmission and sale of electricity in interstate commerce by public utilities, encouraging them to invest in advanced cybersecurity technology and to participate in cyber threat information sharing programs
Sec. 40124. Rural and municipal utility advanced cybersecurity grant and technical assistance program
- Provides $250 million towards the establishment of the “Rural and Municipal Utility Advanced Cybersecurity Grant and Technical Assistance Program” to provide grants and technical assistance to eligible rural utility entities to protect against, detect, respond to, and recover from cybersecurity threats
Sec. 40125. Enhanced grid security
- Provides $250 million towards establishing a program to develop advanced cybersecurity applications and technologies for the energy sector to identify and mitigate vulnerabilities and advance the security of energy grids
- Establishes a $50 million Cyberresilience Program to enhance and periodically test the emergency response capabilities of the Department of Energy and its coordination with other agencies and private industry, as well as provide technical assistance to electric utilities for assessing cybersecurity capabilities
- Grants $50 million for an advanced energy security program to secure energy networks including electric, natural gas, and oil networks to identify potential vulnerabilities and mitigate them
Sec. 50113. Cybersecurity support for public water systems
- Develops a Technical Cybersecurity Support Plan for public water systems
Sec. 70602. Declaration of a significant incident
- Includes language from S.1316 (Cyber Response and Recovery Act of 2021) and provides $100 million over 5 years for the establishment of a Cyber Response and Recovery Fund
  - Provides response and recovery support for cyber incidents impacting Federal, State, local, and Tribal entities on a reimbursable or non-reimbursable basis, including technical assistance and grants decided by the CISA Director for recovery and response
  - Allows the National Cyber Director to declare a “significant incident” when there is a devastating cyber-attack and provides funds to affected entities to respond to and recover from the incident
Sec. 70612. State and Local Cybersecurity Grant Program
- Incorporates language from H.R.3138 (State and Local Cybersecurity Improvement Act) and acts similarly to Sec. 6222 of the 2022 NDAA (State and Local Cybersecurity Grant Program)
- Provides $1 billion over 4 years towards the establishment of a State and Local Cybersecurity Grant Program at the Department of Homeland Security
- Awards grants to eligible entities to address cybersecurity risks and threats to information systems owned or operated by State, local, or Tribal governments
- Requires applicants to submit a Cybersecurity Plan detailing how they will incorporate new cybersecurity strategies to mitigate potential future attacks
Division J – Appropriations
- Provides $21 million to the Office of the National Cyber Director for FY 2022 to carry out the purposes of Sec. 1752 of the 2021 NDAA (National Cyber Director)
- Provides an additional $35 million to CISA for “Operations and Support” until 2026 for risk management operations and stakeholder engagement and requirements